Backdoor in KiwiSDR


Carol KP4MD
 

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to." 

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/


Glenn Elmore
 


 

That John has had root access to KiwiSDRs has not been a secret for many years. To even a casual reader of the forum this has been obvious. Personally I have been aware of this and felt John was trustworthy and him having root access to a host on my private network and being able to help with troubleshooting had acceptable risk/benefit ratio.  

What seems new is simply the high level publicity of this fact. Perhaps I'm being naive but the only new risk I see here is that the announcement may trigger increased hacking attempts.  Hopefully the changes in v .461 have/will mitigate these risks.  

Does anyone know of an instance where this 'vulnerability' has been exploited? Am I being silly with this perspective?

Glenn n6gn


On 2021-07-16 13:55, Carol KP4MD wrote:

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to." 

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/


Stu C
 

As I understand it the access was permitted from only one IP address so unless the miscreant managed to get hold of that base then launch attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many times without a moment's hesitation. One thing a generation focussed on "correct" pronouns forgets is that the morals and ethics of the older generation bear little resemblance to (many) of those today. People who lived most of their lives before the internet would generally not have stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to; support did not have a way for me to personally reset it at the hardware, but if I just gave it internet access they would do it for me in a minute... yeah, no thanks. Half the complication of my home network subnets, NAT and firewall is aimed at using off-the-shelf CCTV bits without inviting a complete takeover of my home network or it being a base for further attacks. It is probably illegal to export an item from country X without enabling a gov backdoor.

The fact that so many KiwiSDRs are still online makes me think that most users understand this event and have decided the intention was good, even if the inclusion does not suit today's world.

It has made me view the reporting of these events slightly differently; drama sells, clickbait etc.

Stu

On 17/07/2021 06:10, Glenn Elmore wrote:


That John has had root access to KiwiSDRs has not been a secret for many years. To even a casual reader of the forum this has been obvious. Personally I have been aware of this and felt John was trustworthy and him having root access to a host on my private network and being able to help with troubleshooting had acceptable risk/benefit ratio.

What seems new is simply the high level publicity of this fact. Perhaps I'm being naive but the only new risk I see here is that the announcement may trigger increased hacking attempts. Hopefully the changes in v .461 have/will mitigate these risks.

Does anyone know of an instance where this 'vulnerability' has been exploited? Am I being silly with this perspective?

Glenn n6gn



Rob Robinett
 

I share Glenn and Stu's perspective on this issue.
Over the years John has demonstrated that he deserves our trust and appreciation for all of his work.
Hopefully all of this negative publicity doesn't drive him away from further work on the Kiwi.

On Fri, Jul 16, 2021 at 10:41 PM Stu C <stu@...> wrote:
As I understand it the access was permitted from only one IP address so
unless the miscreant managed to get hold of that base then launch
attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many
times without a moment's hesitation. One thing a generation focussed on
"correct" pronouns forgets is that the morals and ethics of the older
generation bear little resemblance to (many) of those today. People who
lived most of their lives before the internet would generally not have
stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to;
support did not have a way for me to personally reset it at the hardware,
but if I just gave it internet access they would do it for me in a
minute... yeah, no thanks. Half the complication of my home network
subnets, NAT and firewall is aimed at using off-the-shelf CCTV bits
without inviting a complete takeover of my home network or it being a base
for further attacks. It is probably illegal to export an item from
country X without enabling a gov backdoor.

The fact that so many KiwiSDRs are still online makes me think that
most users understand this event and have decided the intention was good,
even if the inclusion does not suit today's world.

It has made me view the reporting of these events slightly differently;
drama sells, clickbait etc.

Stu

--
Rob Robinett
AI6VN
mobile: +1 650 218 8896


Jim Lill
 

I agree, and let's hope that John will continue to help us even if it means one-on-one access. My recent ALE experiment was only possible because John had that access to one of my Kiwis, for example.

On 7/17/21 10:03 AM, Rob Robinett wrote:

I share Glenn and Stu's perspective on this issue.
Over the years John has demonstrated that he deserves our trust and appreciation for all of his work.
Hopefully all of this negative publicity doesn't drive him away from further work on the Kiwi.


Carol KP4MD
 

I have no problem with John Seamons having access, but I was spooked and removed my KiwiSDR from the public Kiwi directory and DDNS service once I detected Chinese IPs pinging my router with port scanning attacks and several Chinese IPs logged onto my KiwiSDR to monitor US military frequencies.  The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling.

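Stu's point above that the access was permitted from a single IP address, and Carol's note about unexpected foreign IPs reaching her receiver, are both things you can check on the box itself rather than take on trust. The script below is an added example, not code from the KiwiSDR project or from anyone in this thread: it parses the "Accepted" lines that OpenSSH writes in syslog format to /var/log/auth.log on a Debian-style image, flags every successful login whose source is outside an allowlist you supply, and separately flags root logins even when they come from an allowlisted address. The log lines and the allowlist (192.168.1.0/24 plus the single address 203.0.113.7) are constructed for the example using documentation address ranges; substitute your own LAN range and the one address you have actually authorised.

```python
import ipaddress
import re
from typing import Iterable

# OpenSSH "Accepted" line in the default syslog format of /var/log/auth.log.
# Assumption: stock sshd logging; journald output uses the same message text.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+)"
)


def parse_accepted_logins(lines: Iterable[str]) -> list:
    """Return one record per successful sshd login found in the log lines.

    Failed passwords, invalid users and disconnects are ignored; only lines
    that represent an authenticated session are of interest here.
    """
    logins = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append({
                "method": m["method"],
                "user": m["user"],
                "ip": m["ip"],
                "port": int(m["port"]),
                "raw": line.strip(),
            })
    return logins


def audit_logins(logins, allowed_sources, flag_root=True):
    """Flag logins from outside the allowlist, and root logins from inside it.

    allowed_sources: IP addresses or CIDR networks as strings.
    Returns a list of (reason, record) tuples in log order.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    findings = []
    for rec in logins:
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in n for n in nets):
            findings.append(("source not in allowlist", rec))
        elif flag_root and rec["user"] == "root":
            # Allowlisted, but a root shell is still worth a second look.
            findings.append(("root login from allowlisted source", rec))
    return findings


# Constructed sample log (not a real capture). 192.168.1.20 is the owner's
# LAN host, 203.0.113.7 the one remote address the owner has authorised,
# 198.51.100.9 an unauthorised scanner that eventually guesses a password.
SAMPLE_AUTH_LOG = """\
Jul 16 21:02:11 kiwi sshd[1201]: Accepted publickey for debian from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:aaaa
Jul 16 21:05:40 kiwi sshd[1250]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jul 17 03:14:02 kiwi sshd[1302]: Accepted publickey for root from 203.0.113.7 port 51234 ssh2: RSA SHA256:bbbb
Jul 17 03:20:19 kiwi sshd[1330]: Accepted password for root from 198.51.100.9 port 41110 ssh2
Jul 17 09:00:00 kiwi sshd[1400]: Invalid user admin from 198.51.100.9 port 41200
"""

# Hypothetical allowlist for the sample: the LAN plus one trusted remote host.
DEFAULT_ALLOWED = ("192.168.1.0/24", "203.0.113.7")


def run_audit(log_text=SAMPLE_AUTH_LOG, allowed=DEFAULT_ALLOWED):
    """Parse a log and return the audit findings for it."""
    return audit_logins(parse_accepted_logins(log_text.splitlines()), allowed)


if __name__ == "__main__":
    for reason, rec in run_audit():
        print(f"{reason}: {rec['raw']}")
```

Feed it the real file with `run_audit(open("/var/log/auth.log").read())`, or the output of `journalctl -u ssh --no-pager` on a systemd image. It only sees sshd: anything done through the Kiwi's own web admin page is not in this log, and an attacker who got root could have edited the log, so treat a clean result as necessary rather than sufficient.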

kk6pr
 

" . . .Chinese IPs logged onto my KiwiSDR to monitor US military frequencies . . . The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling."

I'm more concerned about American fascists' access and use of my Kiwis.  My IP Blacklist is full of them - I don't care what frequencies they want to listen to.


On Sat, Jul 17, 2021 at 12:58 PM Carol KP4MD <kp4md@...> wrote:
I have no problem with John Seamons having access, but I was spooked and removed my KiwiSDR from the public Kiwi directory and DDNS service once I detected Chinese IPs pinging my router with port scanning attacks and several Chinese IPs logged onto my KiwiSDR to monitor US military frequencies.  The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling.


KD2OM
 

Mine aren’t publicly listed but are available. I rarely see anyone else on it and I checked for incursion and found none. Plus I already had external admin console access closed. 
That said I did the update.

Steve KD2OM


On Jul 17, 2021, at 18:09, kk6pr <pointreyes@...> wrote:


" . . .Chinese IPs logged onto my KiwiSDR to monitor US military frequencies . . . The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling."

I'm more concerned about American fascists' access and use of my Kiwis.  My IP Blacklist is full of them - I don't care what frequencies they want to listen to.